US law enforcement has arrested 18 alleged members of an international ATM criminal ring thought to be responsible for the theft of at least $20 million.
On Thursday, the US Department of Justice (DoJ) unsealed an indictment and two superseding indictments revealing charges levied against each individual believed to be part of the scheme.
Prosecutors say the organization used card skimmer equipment on ATMs to harvest the debit card information of unwitting victims.
These skimmers were installed on devices across the US, and while it is not known how many people may be involved, law enforcement says that teams of criminals have previously been deployed across the country to find suitable locations, install, and remove skimmers.
After grabbing card information, members of the ring manufactured counterfeit clone cards which could be used to make fraudulent purchases and withdrawals at ATMs.
The gang manufactured large batches of clone cards and sent money mules out to withdraw funds from their victim's bank accounts.
While ATM compromise was centered in the United States, the components and equipment required to create skimmers came from both the US and abroad. Some individuals were tasked in manufacturing the skimmers, whereas others would launder stolen proceeds by passing cash through bank accounts or funnel their criminal gains through properties and businesses.
See also: Most ATMs can be hacked in under 20 minutes
Hundreds of ATM skimming operations have taken place across the US due to this one group and their influence has been felt in New York and at least 17 other states.
A series of arrests were made across the US, Mexico, and Italy. The 18 suspects are being charged with offenses including access device fraud, wire fraud, bank fraud, and aggravated identity theft in Manhattan Federal Court.
CNET: California proposes regulations to enforce new privacy law
If found guilty, the individuals -- hailing from the US, Romania, and Greece -- may face up between 7.5 and 10 years behind bars for access device fraud; 30 years in prison for conspiracy to commit wire and bank fraud, and a penalty of two years for aggravated identity theft.
In addition, some of the defendants are being charged with money laundering, an accusation that could lead to a maximum sentence of 20 years in prison.
ATMs, given their role as a machine offering the general public convenient access to their money, are a constant target for those seeking to commit banking crimes or identity theft.
TechRepublic: Financial industry spends millions to deal with breaches
While these front-facing devices are important to us, the covert installation of devices containing cameras and skimmer technologies can be missed -- and when it comes to their insides, old operating systems susceptible to malware are common.
Last year, Positive Technologies researchers conducted a range of tests on ATMs from NCR, Diebold Nixdorf, and GRGBanking, and found that many could be compromised in as little as 20 minutes.
The US is not the only country to take the compromise of ATMs seriously. Across the pond, European police have cracked down on ATM hacking rings under Operation Neptune, leading to multiple arrests and the seizure of over 1,000 counterfeit debit cards.
Europol’s top hacking ring takedowns
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0